DMARC Record Generator

Generate Your DMARC Record With A Few Clicks

DMARC Record Generator
Create a valid DMARC record in a few clicks to use it in your DNS.
Enter Your Domain Name:
 
DMARC Policy:
 
DMARC Sub Domain Policy:
 
Send Aggregrate Reports To:
Add RUA Address
 
Send Failure Reports To:
Add RUF Address
 
Percentage of Mail Applied To:
 
SPF Identifer Alignment:
 
DKIM Identifer Alignment:
 
Reporting Interval:
 
Failure Reporting Options:
 

Effortless DMARC Record Creation: Streamline Security

This built-in DMARC record generator tool empowers you to strengthen your email security with ease. Forget complex manual configuration – this intuitive feature guides you through the process step-by-step, ensuring a smooth and efficient setup.


Simply enter your domain name and select your preferred policy. The tool offers clear explanations for each option, allowing you to choose whether to monitor (p=none) email activity for informational purposes, quarantine (p=quarantine) suspicious emails for further review, or reject (p=reject) unauthenticated emails outright. Additionally, you can specify email addresses to receive reports detailing email activity. These reports provide valuable insights into how your domain is being used for email and can help identify potential security threats like email spoofing.


No technical expertise is necessary! The generator handles the intricacies of crafting an accurate DMARC record, saving you time and ensuring you have the essential reporting features in place. This simplifies the initial setup and grants you control over your email security by providing valuable insights from DMARC reports. With this knowledge, you can make informed decisions to further protect your organization from email-based attacks.


Once you have it set up, it's time to test it with our very own eMail Tester.

DMARC Record Checker

DMARC Tag Specification Explained

TAG MEANING
v Required: Specifies the version of the DMARC protocol being used. Always set to v=DMARC1 for the current DMARC protocol version.
p Required: Specifies the policy to be enacted by the receiving mail server when DMARC authentication fails.This tag determines what action should be taken if an email fails DMARC checks.

Possible Values:

  • none: Takes no action, but generates DMARC reports.
  • quarantine: Treats the message as suspicious, possibly placing it in the recipient's spam or quarantine folder.
  • reject: Blocks the message outright, preventing delivery to the recipient.
sp Specifies the policy for handling messages from subdomains of the DMARC-aligned domain. Subdomains inherit policies from their parent domain unless explicitly overridden.
rua Specifies the URI(s) to which aggregate DMARC reports should be sent, for example: rua=mailto:your@email.com. Aggregate reports provide statistics about DMARC usage and authentication results.
ruf Specifies the URI(s) to which forensic DMARC reports should be sent (reports about individual failed messages), for example: ruf=mailto:your@email.com. Forensic reports contain detailed information about specific messages that failed DMARC checks.
adkim Specifies how DKIM (DomainKeys Identified Mail) alignment should be handled. DKIM alignment verifies that the DKIM signature on an email matches the sender's domain.

Possible Values:

  • r: Relaxed mode. Allows for intermediate levels of subdomain alignment.
  • s: Strict mode. Requires exact domain name alignment.
aspf Specifies how SPF (Sender Policy Framework) alignment should be handled. SPF alignment verifies that the SMTP MAIL FROM domain matches the domain used in the RFC5322.From header field.

Possible Values:

  • r: Relaxed mode. Allows for intermediate levels of subdomain alignment.
  • s: Strict mode. Requires exact domain name alignment.
fo Determines the level of detail in forensic reports (message-level reports) generated when DMARC authentication fails.

Possible Values:

  • 0: Generate reports if all underlying authentication mechanisms fail to produce a DMARC pass result.
  • 1: Generate reports if any underlying authentication mechanism produces something other than a DMARC pass result.
  • d: Generate reports regardless of the authentication result.
  • s: Generate an SPF failure report if the message failed SPF evaluation, regardless of alignment.
rf This tag specifies the format for forensic (message-level) DMARC reports that are sent to the specified reporting addresses (ruf).

Possible Values:

  • afrf: Specifies the use of the Abuse Reporting Format (ARF) for forensic reports, which provides a standardized format for reporting abusive activity related to email.
  • iodef: Specifies the use of the Incident Object Description Exchange Format (IODEF) for forensic reports, which is another standardized format for reporting security incidents.
pct Specifies the percentage of messages subjected to DMARC policy filtering.Allows gradual enforcement of DMARC policies to monitor impact before full enforcement. Any integer value from 0 to 100.
ri This tag specifies the interval at which aggregate DMARC (Domain-based Message Authentication, Reporting & Conformance) reports should be generated and sent by receivers to the specified reporting addresses (rua). For example: ri=86400 indicates that aggregate reports should be sent daily (every 86400 seconds).

Frequently Asked Questions

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. It builds on the widely deployed SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) protocols, adding a critical function of reporting to senders about whether their emails are passing or failing these mechanisms.

DMARC is important because it helps improve email security and reduces the risk of email phishing and spoofing attacks. By implementing DMARC, organizations can ensure that emails sent from their domain are authenticated properly, preventing malicious actors from sending fraudulent emails on behalf of their domain.
To generate a DMARC record, follow these steps:
  • Step 1: Identify your domain's DNS hosting provider where you will add the DMARC record.
  • Step 2: Create the DMARC TXT record with the appropriate policy. A basic DMARC record includes the following elements:
    • v=DMARC1 (specifies the version)
    • p=none/quarantine/reject (policy for handling unauthenticated emails)
    • rua=mailto:dmarc-reports@example.com (address for aggregate reports)
    • ruf=mailto:dmarc-forensic@example.com (optional: address for forensic reports)
    • pct=100 (percentage of emails to apply the policy to)
  • Step 3: Publish the DMARC record in your DNS by adding a new TXT record with the name _dmarc.yourdomain.com and the value containing your DMARC policy.
  • Step 4: Monitor the reports sent to the addresses specified in the DMARC record to analyze the email authentication results and adjust your policy as needed.
A DMARC record consists of several key components:
  • Version (v): Specifies the DMARC version, which is always DMARC1.
  • Policy (p): Indicates the policy to be applied to emails that fail DMARC authentication (none, quarantine, or reject).
  • Aggregate Reports (rua): Defines the email address to which aggregate reports should be sent.
  • Forensic Reports (ruf): (Optional) Specifies the email address for forensic reports, which provide detailed information on DMARC failures.
  • Percentage (pct): Indicates the percentage of messages to which the DMARC policy is applied. The default is 100%.
  • Subdomain Policy (sp): (Optional) Specifies the policy for subdomains of the main domain.
  • Alignment Mode (aspf and adkim): Defines the alignment mode for SPF and DKIM (strict or relaxed).
DMARC aggregate reports, also known as RUA reports, are XML documents sent by email receivers to the email addresses specified in the DMARC record. These reports provide an overview of email authentication results for your domain, including:
  • The number of emails received from your domain.
  • The number of emails that passed or failed DMARC authentication.
  • Details about the source IP addresses of the emails.
  • The DMARC policies applied to the emails.
These reports help domain owners understand how their emails are being authenticated and identify any issues with email delivery and authentication.
DMARC forensic reports, also known as RUF reports, provide detailed information about individual emails that failed DMARC authentication. These reports include:
  • The full email headers of the failed message.
  • Information about the authentication failure, such as whether it was an SPF or DKIM failure.
  • Details about the source IP address and the sending domain.
Forensic reports are useful for investigating specific authentication failures and identifying potential security issues.
Interpreting DMARC reports involves analyzing the data provided to understand email authentication results and identify any issues. Key elements to review include:
  • Source IP: Identify the IP addresses sending emails on behalf of your domain. Ensure these are legitimate sources.
  • SPF and DKIM Results: Check whether emails are passing SPF and DKIM checks. Identify any failures and investigate their causes.
  • DMARC Policy Applied: Review the DMARC policies applied (none, quarantine, reject) and assess their effectiveness.
  • Email Volume: Monitor the volume of authenticated versus unauthenticated emails to gauge the overall health of your email ecosystem.
Use this information to refine your DMARC policy and improve email authentication over time.
Implementing DMARC offers several benefits, including:
  • Enhanced Email Security: Protects your domain from email spoofing and phishing attacks.
  • Improved Email Deliverability: Increases the likelihood that legitimate emails will reach recipients' inboxes.
  • Brand Protection: Safeguards your brand reputation by preventing malicious actors from sending fraudulent emails using your domain.
  • Visibility: Provides insights into who is sending emails on behalf of your domain through detailed reports.
  • Compliance: Helps meet regulatory requirements for email authentication and security.
Implementing DMARC can present several challenges, including:
  • Complexity: Setting up DMARC requires a good understanding of email authentication protocols like SPF and DKIM.
  • Resource Intensive: Monitoring and interpreting DMARC reports can be time-consuming.
  • Third-Party Senders: Ensuring that all third-party email senders are DMARC-compliant can be challenging.
  • Policy Configuration: Determining the appropriate DMARC policy (none, quarantine, reject) for your domain can be difficult.
  • DNS Configuration: Properly configuring DNS records for DMARC, SPF, and DKIM can be complex.
Overcoming these challenges often requires a combination of technical expertise, proper planning, and ongoing monitoring and adjustment of DMARC policies.
Monitoring DMARC effectiveness involves several steps:
  • Regularly Review Reports: Analyze DMARC aggregate and forensic reports to understand email authentication results and identify issues.
  • Track Key Metrics: Monitor metrics such as email authentication pass/fail rates, volume of emails sent, and the effectiveness of DMARC policies.
  • Adjust Policies: Based on the insights from the reports, adjust DMARC policies to improve authentication rates and enhance security.
  • Work with Third-Party Senders: Ensure that all third-party email senders comply with your DMARC, SPF, and DKIM policies.
  • Stay Informed: Keep up to date with best practices and changes in email authentication protocols to ensure your DMARC implementation remains effective.
Effective monitoring helps to maintain the security and deliverability benefits of DMARC over time.
SPF, DKIM, and DMARC are all email authentication protocols, but they serve different purposes:
  • SPF (Sender Policy Framework): Allows domain owners to specify which IP addresses are authorized to send emails on behalf of their domain. It helps to prevent email spoofing.
  • DKIM (DomainKeys Identified Mail): Adds a digital signature to emails, which can be verified by the receiving email server to ensure the email has not been altered during transit and that it was sent by an authorized sender.
  • DMARC (Domain-based Message Authentication, Reporting & Conformance): Builds on SPF and DKIM by adding a layer of policy and reporting. It allows domain owners to specify how to handle emails that fail SPF or DKIM checks and provides visibility into email authentication results through reports.
Together, these protocols enhance email security and help to prevent email fraud and phishing.
While DMARC significantly reduces the risk of email spoofing, it cannot prevent all instances of spoofing. Some limitations include:
  • Non-DMARC Compliant Domains: Emails from domains that do not implement DMARC cannot be fully protected from spoofing.
  • Forwarding Issues: Some email forwarding services can break the SPF/DKIM authentication, causing legitimate emails to fail DMARC checks.
  • Subdomain Spoofing: If the DMARC policy does not include a subdomain policy (sp), subdomains can be vulnerable to spoofing.
Despite these limitations, DMARC is a powerful tool in the fight against email spoofing and should be part of any comprehensive email security strategy.
To implement DMARC for a new domain, follow these steps:
  • Step 1: Ensure SPF and DKIM are properly set up for your domain.
  • Step 2: Create your DMARC policy. Start with a policy of "none" to gather data without impacting email delivery.
  • Step 3: Publish the DMARC record in your DNS by adding a TXT record for _dmarc.yourdomain.com with your DMARC policy.
  • Step 4: Monitor the DMARC reports sent to the addresses specified in your DMARC record. Use these reports to understand how your emails are being authenticated and identify any issues.
  • Step 5: Adjust your DMARC policy based on the insights gained from the reports. Gradually move to a more stringent policy (quarantine or reject) as you gain confidence in your email authentication setup.
Implementing DMARC effectively involves continuous monitoring and adjustment to ensure optimal email security and deliverability.
Several tools can assist with DMARC implementation and monitoring:
  • DMARC Analyzers: Tools like DMARCian, Agari, and Valimail provide comprehensive analysis and reporting for DMARC.
  • DNS Management Tools: Platforms like Cloudflare, Amazon Route 53, and Google Cloud DNS simplify the process of managing DNS records for DMARC.
  • Email Authentication Services: Services like SendGrid, Mailgun, and Postmark offer built-in support for SPF, DKIM, and DMARC.
  • Monitoring Tools: Tools like Splunk and SolarWinds can help monitor DMARC reports and track email authentication metrics.
Using these tools can streamline the implementation and management of DMARC, ensuring effective email security and deliverability.
DMARC can significantly improve email deliverability by ensuring that legitimate emails are authenticated and reducing the risk of spoofing. Key benefits include:
  • Increased Trust: Recipients are more likely to trust emails from domains with DMARC protection, leading to higher open rates and engagement.
  • Reduced Spam: DMARC helps to prevent spam and phishing emails from being sent using your domain, improving your sender reputation.
  • Better Inbox Placement: Authenticated emails are more likely to be delivered to recipients' inboxes rather than being filtered as spam.
While DMARC improves overall email deliverability, it requires proper implementation and monitoring to achieve the best results.
Best practices for DMARC implementation include:
  • Start with a "None" Policy: Begin with a policy of "none" to gather data without affecting email delivery.
  • Monitor Reports: Regularly review DMARC reports to understand authentication results and identify issues.
  • Gradually Enforce Policies: Move to more stringent policies (quarantine or reject) based on the insights gained from reports.
  • Include All Subdomains: Use the "sp" tag to apply the DMARC policy to all subdomains.
  • Keep DNS Records Updated: Ensure that SPF and DKIM records are accurate and up-to-date.
  • Work with Third-Party Senders: Ensure that all third-party email senders comply with your DMARC, SPF, and DKIM policies.
Following these best practices can help ensure a successful DMARC implementation and improve email security and deliverability.

Are You Ready To Experience The Difference?

CC Logo

Become a part of the Campaign Cleaner community today, and join countless satisfied customers who have witnessed significant improvements in their email deliverability and campaign success. Don't let HTML issues hold you back; let Campaign Cleaner optimize your campaigns and boost your inbox rates

Let's Get Started